As part of testing RBAC evaluation requirements, I have been trying to create a loadable policy module that creates a new role that dominates a few of the existing roles. I am able to create a role using the dominance statement, and "semanage user" correctly assigns the other roles (which the new role dominates) to a user when that user is assigned the new role. From what I can see, I still have to set up the needed access rights for the new domain associated with this new role. That makes sense, since roles only allow you access to a domain and are not involved in the access decision. So hierarchical roles only give you the ability to change into roles that you dominate but do not give you the aggregate access rights of the roles that you dominate; is that correct, or am I missing something?
Let me explain what I am asking with an example. The strict-mls policy has the roles sysadm_r and secadm_r. I created a new role cnorris_r that dominates these two roles and runs in the default domain cnorris_t. A user xyz is assigned the cnorris_r role. Now the user xyz can use newrole to switch into sysadm_r or secadm_r to perform the actions that those roles are allowed. However, as cnorris_r in the cnorris_t domain, xyz cannot perform the actions that they could as sysadm_r or secadm_r. Is that correct, or am I missing some policy magic that will allow cnorris_r to perform sysadm_r/secadm_r duties directly (without newrole'ing to them)?

Thanks.
-Janak

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
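The setup the question describes, written out as kernel policy language (an added illustration, not part of the original post or of any shipped policy): the dominance statement and the role allow rule govern only which roles a user may hold and switch between, while every access check is still made against the type. The names cnorris_r, cnorris_t and the type cnorris_exec_t are the question's example names; sysadm_r, secadm_r and sysadm_t are assumed to already be declared in the base strict-mls policy.

```selinux
# Added illustration: role hierarchy versus type enforcement.

# New type and role for the example; role/type association lets a
# process running as cnorris_r enter the cnorris_t domain.
type cnorris_t;
type cnorris_exec_t;
role cnorris_r;
role cnorris_r types cnorris_t;

# RBAC: cnorris_r dominates sysadm_r and secadm_r. This only makes
# cnorris_r authorized for the types those roles are authorized for;
# it adds no allow rules.
dominance { role cnorris_r { role sysadm_r; role secadm_r; } }

# Role allow rules: needed so that newrole can switch from
# cnorris_r into the dominated roles.
allow cnorris_r { sysadm_r secadm_r };

# TE: the access decision is made on the type only. Without rules
# such as these, cnorris_t gets none of what sysadm_t is allowed,
# even though cnorris_r dominates sysadm_r. (Which object classes
# and permissions to grant is a separate policy decision; the
# example below is an assumed, minimal one.)
allow cnorris_t cnorris_exec_t : file { read execute entrypoint };
# Each capability that sysadm_t has and cnorris_t needs must be
# granted to cnorris_t explicitly, e.g.
#   allow cnorris_t some_object_t : file { read write };
```

Checking the result after loading the policy: `seinfo -r cnorris_r -x` shows the role's authorized types, while `sesearch -s cnorris_t -A` shows that no allow rules were inherited through the dominance relationship.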
